openflow

package
v0.12.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 26, 2021 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// PacketIn reasons
	PacketInReasonTF ofpPacketInReason = 1
	PacketInReasonNP ofpPacketInReason = 0
)
View Source
const (
	// Flow table id index
	ClassifierTable binding.TableIDType = 0

	AntreaPolicyEgressRuleTable binding.TableIDType = 45
	DefaultTierEgressRuleTable  binding.TableIDType = 49
	EgressRuleTable             binding.TableIDType = 50
	EgressDefaultTable          binding.TableIDType = 60
	EgressMetricTable           binding.TableIDType = 61

	AntreaPolicyIngressRuleTable binding.TableIDType = 85
	DefaultTierIngressRuleTable  binding.TableIDType = 89
	IngressRuleTable             binding.TableIDType = 90
	IngressDefaultTable          binding.TableIDType = 100
	IngressMetricTable           binding.TableIDType = 101

	L2ForwardingOutTable binding.TableIDType = 110
)
View Source
const (
	PortCacheReg regType = 1

	EgressReg    regType = 5
	IngressReg   regType = 6
	TraceflowReg regType = 9 // Use reg9[28..31] to store traceflow dataplaneTag.
	// CNPDropConjunctionIDReg reuses reg3 which will also be used for storing endpoint IP to store the rule ID. Since
	// the service selection will finish when a packet hitting NetworkPolicy related rules, there is no conflict.
	CNPDropConjunctionIDReg regType = 3

	CtZone   = 0xfff0
	CtZoneV6 = 0xffe6
	// CtZoneSNAT is only used on Windows and only when AntreaProxy is enabled.
	// When a Pod access a ClusterIP Service, and the IP of the selected endpoint
	// is not in "cluster-cidr". The request packets need to be SNAT'd(set src IP to local Node IP)
	// after have been DNAT'd(set dst IP to endpoint IP).
	// For example, the endpoint Pod may run in hostNetwork mode and the IP of the endpoint
	// will is the current Node IP.
	// We need to use a different ct_zone to track the SNAT'd connection because OVS
	// does not support doing both DNAT and SNAT in the same ct_zone.
	//
	// An example of the connection is a Pod accesses kubernetes API service:
	// Pod --> DNAT(CtZone) --> SNAT(CtZoneSNAT) --> Endpoint(API server NodeIP)
	// Pod <-- unDNAT(CtZone) <-- unSNAT(CtZoneSNAT) <-- Endpoint(API server NodeIP)
	CtZoneSNAT = 0xffdc

	ServiceCTMark = 0x21

	// disposition is loaded in marksReg [21]
	DispositionMarkReg regType = 0
	// disposition marks the flow action as either Allow or Drop
	DispositionAllow = 0b0
	DispositionDrop  = 0b1
)

Variables

View Source
var (
	MatchDstIP         = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_dst")
	MatchSrcIP         = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_src")
	MatchDstIPNet      = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_dst")
	MatchSrcIPNet      = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_src")
	MatchDstIPv6       = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_dst")
	MatchSrcIPv6       = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_src")
	MatchDstIPNetv6    = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_dst")
	MatchSrcIPNetv6    = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_src")
	MatchDstOFPort     = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "reg1[0..31]")
	MatchSrcOFPort     = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "in_port")
	MatchTCPDstPort    = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_dst")
	MatchTCPv6DstPort  = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_dst")
	MatchUDPDstPort    = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_dst")
	MatchUDPv6DstPort  = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_dst")
	MatchSCTPDstPort   = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_dst")
	MatchSCTPv6DstPort = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_dst")
	Unsupported        = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown")
)
View Source
var (
	// APDispositionMarkRange takes the 21 to 21 bits of register marksReg to indicate disposition of Antrea Policy.
	APDispositionMarkRange = binding.Range{21, 21}
)
View Source
var DispositionToString = map[uint32]string{
	DispositionAllow: "Allow",
	DispositionDrop:  "Drop",
}
View Source
var (
	FlowTables = []struct {
		Number binding.TableIDType
		Name   string
	}{
		{ClassifierTable, "Classification"},
		{uplinkTable, "Uplink"},
		{spoofGuardTable, "SpoofGuard"},
		{arpResponderTable, "ARPResponder"},
		{ipv6Table, "IPv6"},
		{serviceHairpinTable, "ServiceHairpin"},
		{conntrackTable, "ConntrackZone"},
		{conntrackStateTable, "ConntrackState"},
		{dnatTable, "DNAT(SessionAffinity)"},
		{sessionAffinityTable, "SessionAffinity"},
		{serviceLBTable, "ServiceLB"},
		{endpointDNATTable, "EndpointDNAT"},
		{AntreaPolicyEgressRuleTable, "AntreaPolicyEgressRule"},
		{EgressRuleTable, "EgressRule"},
		{EgressDefaultTable, "EgressDefaultRule"},
		{EgressMetricTable, "EgressMetric"},
		{l3ForwardingTable, "l3Forwarding"},
		{l2ForwardingCalcTable, "L2Forwarding"},
		{AntreaPolicyIngressRuleTable, "AntreaPolicyIngressRule"},
		{IngressRuleTable, "IngressRule"},
		{IngressDefaultTable, "IngressDefaultRule"},
		{IngressMetricTable, "IngressMetric"},
		{conntrackCommitTable, "ConntrackCommit"},
		{hairpinSNATTable, "HairpinSNATTable"},
		{L2ForwardingOutTable, "Output"},
	}
)

Functions

func GetAntreaPolicyBaselineTierTables added in v0.11.0

func GetAntreaPolicyBaselineTierTables() []binding.TableIDType

func GetAntreaPolicyEgressTables added in v0.10.0

func GetAntreaPolicyEgressTables() []binding.TableIDType

func GetAntreaPolicyIngressTables added in v0.10.0

func GetAntreaPolicyIngressTables() []binding.TableIDType

func GetAntreaPolicyMultiTierTables added in v0.10.0

func GetAntreaPolicyMultiTierTables() []binding.TableIDType

func GetFlowTableName added in v0.6.0

func GetFlowTableName(tableNumber binding.TableIDType) string

GetFlowTableName returns the flow table name given the table number. An empty string is returned if the table cannot be found.

func GetFlowTableNumber added in v0.6.0

func GetFlowTableNumber(tableName string) binding.TableIDType

GetFlowTableNumber does a case insensitive lookup of the table name, and returns the flow table number if the table is found. Otherwise TableIDAll is returned if the table cannot be found.

Types

type Client

type Client interface {
	// Initialize sets up all basic flows on the specific OVS bridge. It returns a channel which
	// is used to notify the caller in case of a reconnection, in which case ReplayFlows should
	// be called to ensure that the set of OVS flows is correct. All flows programmed in the
	// switch which match the current round number will be deleted before any new flow is
	// installed.
	Initialize(roundInfo types.RoundInfo, config *config.NodeConfig, encapMode config.TrafficEncapModeType) (<-chan struct{}, error)

	// InstallGatewayFlows sets up flows related to an OVS gateway port, the gateway must exist.
	InstallGatewayFlows() error

	// InstallClusterServiceCIDRFlows sets up the appropriate flows so that traffic can reach
	// the different Services running in the Cluster. This method needs to be invoked once with
	// the Cluster Service CIDR as a parameter.
	InstallClusterServiceCIDRFlows(serviceNets []*net.IPNet) error

	// InstallClusterServiceFlows sets up the appropriate flows so that traffic can reach
	// the different Services running in the Cluster. This method needs to be invoked once.
	InstallClusterServiceFlows() error

	// InstallDefaultTunnelFlows sets up the classification flow for the default (flow based) tunnel.
	InstallDefaultTunnelFlows() error

	// InstallNodeFlows should be invoked when a connection to a remote Node is going to be set
	// up. The hostname is used to identify the added flows. When IPSec tunnel is enabled,
	// ipsecTunOFPort must be set to the OFPort number of the IPSec tunnel port to the remote Node;
	// otherwise ipsecTunOFPort must be set to 0.
	// InstallNodeFlows has all-or-nothing semantics(call succeeds if all the flows are installed
	// successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent.
	// Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they
	// are all for different hostnames.
	InstallNodeFlows(
		hostname string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP,
		ipsecTunOFPort uint32) error

	// UninstallNodeFlows removes the connection to the remote Node specified with the
	// hostname. UninstallNodeFlows will do nothing if no connection to the host was established.
	UninstallNodeFlows(hostname string) error

	// InstallPodFlows should be invoked when a connection to a Pod on current Node. The
	// interfaceName is used to identify the added flows. InstallPodFlows has all-or-nothing
	// semantics(call succeeds if all the flows are installed successfully, otherwise no
	// flows will be installed). Calls to InstallPodFlows are idempotent. Concurrent calls
	// to InstallPodFlows and / or UninstallPodFlows are supported as long as they are all
	// for different interfaceNames.
	InstallPodFlows(interfaceName string, podInterfaceIPs []net.IP, podInterfaceMAC net.HardwareAddr, ofPort uint32) error

	// UninstallPodFlows removes the connection to the local Pod specified with the
	// interfaceName. UninstallPodFlows will do nothing if no connection to the Pod was established.
	UninstallPodFlows(interfaceName string) error

	// InstallServiceGroup installs a group for Service LB. Each endpoint
	// is a bucket of the group. For now, each bucket has the same weight.
	InstallServiceGroup(groupID binding.GroupIDType, withSessionAffinity bool, endpoints []proxy.Endpoint) error
	// UninstallServiceGroup removes the group and its buckets that are
	// installed by InstallServiceGroup.
	UninstallServiceGroup(groupID binding.GroupIDType) error

	// InstallEndpointFlows installs flows for accessing Endpoints.
	// If an Endpoint is on the current Node, then flows for hairpin and endpoint
	// L2 forwarding should also be installed.
	InstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint, isIPv6 bool) error
	// UninstallEndpointFlows removes flows of the Endpoint installed by
	// InstallEndpointFlows.
	UninstallEndpointFlows(protocol binding.Protocol, endpoint proxy.Endpoint) error

	// InstallServiceFlows installs flows for accessing Service with clusterIP.
	// It installs the flow that uses the group/bucket to do service LB. If the
	// affinityTimeout is not zero, it also installs the flow which has a learn
	// action to maintain the LB decision.
	// The group with the groupID must be installed before, otherwise the
	// installation will fail.
	InstallServiceFlows(groupID binding.GroupIDType, svcIP net.IP, svcPort uint16, protocol binding.Protocol, affinityTimeout uint16) error
	// UninstallServiceFlows removes flows installed by InstallServiceFlows.
	UninstallServiceFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error
	// InstallLoadBalancerServiceFromOutsideFlows installs flows for LoadBalancer Service traffic from outside node.
	// The traffic is received from uplink port and will be forwarded to gateway by the installed flows. And then
	// kube-proxy will handle the traffic.
	// This function is only used for Windows platform.
	InstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error
	// UninstallLoadBalancerServiceFromOutsideFlows removes flows installed by InstallLoadBalancerServiceFromOutsideFlows.
	UninstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// GetFlowTableStatus should return an array of flow table status, all existing flow tables should be included in the list.
	GetFlowTableStatus() []binding.TableStatus

	// InstallPolicyRuleFlows installs flows for a new NetworkPolicy rule. Rule should include all fields in the
	// NetworkPolicy rule. Each ingress/egress policy rule installs Openflow entries on two tables, one for
	// ruleTable and the other for dropTable. If a packet does not pass the ruleTable, it will be dropped by the
	// dropTable.
	InstallPolicyRuleFlows(ofPolicyRule *types.PolicyRule) error

	// BatchInstallPolicyRuleFlows installs multiple flows for NetworkPolicy rules in batch.
	BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) error

	// UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule.
	// It also returns a slice of stale ofPriorities used by ClusterNetworkPolicies.
	// UninstallPolicyRuleFlows will do nothing if no Openflow entry for the rule is installed.
	UninstallPolicyRuleFlows(ruleID uint32) ([]string, error)

	// AddPolicyRuleAddress adds one or multiple addresses to the specified NetworkPolicy rule. If addrType is true, the
	// addresses are added to PolicyRule.From, else to PolicyRule.To.
	AddPolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// DeletePolicyRuleAddress removes addresses from the specified NetworkPolicy rule. If addrType is srcAddress, the addresses
	// are removed from PolicyRule.From, else from PolicyRule.To.
	DeletePolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// InstallBridgeUplinkFlows installs Openflow flows between bridge local port and uplink port to support
	// host networking.
	// This function is only used for Windows platform.
	InstallBridgeUplinkFlows() error

	// InstallExternalFlows sets up flows to enable Pods to communicate to the external IP addresses. The corresponding
	// OpenFlow entries include: 1) identify the packets from local Pods to the external IP address, 2) mark the traffic
	// in the connection tracking context, and 3) SNAT the packets with Node IP.
	// This function is only used for Windows platform.
	InstallExternalFlows() error

	// Disconnect disconnects the connection between client and OFSwitch.
	Disconnect() error

	// IsConnected returns the connection status between client and OFSwitch. The return value is true if the OFSwitch is connected.
	IsConnected() bool

	// ReplayFlows should be called when a spurious disconnection occurs. After we reconnect to
	// the OFSwitch, we need to replay all the flows cached by the client. ReplayFlows will try
	// to replay as many flows as possible, and will log an error when a flow cannot be
	// installed.
	ReplayFlows()

	// DeleteStaleFlows deletes all flows from the previous round which are no longer needed. It
	// should be called by the agent after all required flows have been installed / updated with
	// the new round number.
	DeleteStaleFlows() error

	// GetTunnelVirtualMAC() returns globalVirtualMAC used for tunnel traffic.
	GetTunnelVirtualMAC() net.HardwareAddr

	// GetPodFlowKeys returns the keys (match strings) of the cached flows for a
	// Pod.
	GetPodFlowKeys(interfaceName string) []string

	// GetNetworkPolicyFlowKeys returns the keys (match strings) of the cached
	// flows for a NetworkPolicy. Flows are grouped by policy rules, and duplicated
	// entries can be added due to conjunctive match flows shared by multiple
	// rules.
	GetNetworkPolicyFlowKeys(npName, npNamespace string) []string

	// ReassignFlowPriorities takes a list of priority updates, and update the actionFlows to replace
	// the old priority with the desired one, for each priority update on that table.
	ReassignFlowPriorities(updates map[uint16]uint16, table binding.TableIDType) error

	// SubscribePacketIn subscribes packet-in channel in bridge. This method requires a receiver to
	// pop data from "ch" timely, otherwise it will block all inbound messages from OVS.
	SubscribePacketIn(reason uint8, ch chan *ofctrl.PacketIn) error

	// SendTraceflowPacket injects packet to specified OVS port for Openflow.
	SendTraceflowPacket(
		dataplaneTag uint8,
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		IPProtocol uint8,
		ttl uint8,
		IPFlags uint16,
		TCPSrcPort uint16,
		TCPDstPort uint16,
		TCPFlags uint8,
		UDPSrcPort uint16,
		UDPDstPort uint16,
		ICMPType uint8,
		ICMPCode uint8,
		ICMPID uint16,
		ICMPSequence uint16,
		inPort uint32,
		outPort int32) error

	// InstallTraceflowFlows installs flows for specific traceflow request.
	InstallTraceflowFlows(dataplaneTag uint8) error

	// Initial tun_metadata0 in TLV map for Traceflow.
	InitialTLVMap() error

	// Find Network Policy reference and OFpriority by conjunction ID.
	GetPolicyInfoFromConjunction(ruleID uint32) (string, string)

	// RegisterPacketInHandler uses SubscribePacketIn to get PacketIn message and process received
	// packets through registered handlers.
	RegisterPacketInHandler(packetHandlerReason uint8, packetHandlerName string, packetInHandler interface{})

	StartPacketInHandler(packetInStartedReason []uint8, stopCh <-chan struct{})
	// Get traffic metrics of each NetworkPolicy rule.
	NetworkPolicyMetrics() map[uint32]*types.RuleMetric
	// Returns if IPv4 is supported on this Node or not.
	IsIPv4Enabled() bool
	// Returns if IPv6 is supported on this Node or not.
	IsIPv6Enabled() bool
}

Client is the interface to program OVS flows for entity connectivity of Antrea.

func NewClient

func NewClient(bridgeName, mgmtAddr string, ovsDatapathType ovsconfig.OVSDatapathType, enableProxy, enableAntreaPolicy bool) Client

NewClient is the constructor of the Client interface.

type ConjunctionNotFound

type ConjunctionNotFound uint32

ConjunctionNotFound is an error response when the specified policyRuleConjunction is not found from the local cache.

func (*ConjunctionNotFound) Error

func (e *ConjunctionNotFound) Error() string

type IPAddress

type IPAddress net.IP

IP address calculated from Pod's address.

func NewIPAddress

func NewIPAddress(addr net.IP) *IPAddress

func (*IPAddress) GetMatchKey

func (a *IPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPAddress) GetMatchValue

func (a *IPAddress) GetMatchValue() string

func (*IPAddress) GetValue

func (a *IPAddress) GetValue() interface{}

type IPNetAddress

type IPNetAddress net.IPNet

IP block calculated from Pod's address.

func NewIPNetAddress

func NewIPNetAddress(addr net.IPNet) *IPNetAddress

func (*IPNetAddress) GetMatchKey

func (a *IPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPNetAddress) GetMatchValue

func (a *IPNetAddress) GetMatchValue() string

func (*IPNetAddress) GetValue

func (a *IPNetAddress) GetValue() interface{}

type OFEntryOperations added in v0.6.0

type OFEntryOperations interface {
	Add(flow binding.Flow) error
	Modify(flow binding.Flow) error
	Delete(flow binding.Flow) error
	AddAll(flows []binding.Flow) error
	DeleteAll(flows []binding.Flow) error
	AddOFEntries(ofEntries []binding.OFEntry) error
	DeleteOFEntries(ofEntries []binding.OFEntry) error
}

type OFPortAddress

type OFPortAddress int32

OFPortAddress is the Openflow port of an interface.

func NewOFPortAddress

func NewOFPortAddress(addr int32) *OFPortAddress

func (*OFPortAddress) GetMatchKey

func (a *OFPortAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*OFPortAddress) GetMatchValue

func (a *OFPortAddress) GetMatchValue() string

func (*OFPortAddress) GetValue

func (a *OFPortAddress) GetValue() interface{}

type PacketInHandler added in v0.8.0

type PacketInHandler interface {
	HandlePacketIn(pktIn *ofctrl.PacketIn) error
}

Directories

Path Synopsis
Package cookie implements a cookie allocator.
Package cookie implements a cookie allocator.
Package testing is a generated GoMock package.
Package testing is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL